The <sec:authorize> tag conditionally renders its content based on role-based access control
using SecurityContext. It provides three mutually exclusive ways to check user roles: single role check,
any-of-roles check, or all-of-roles check.
To use the security taglib, declare the omnifaces.security namespace in your Facelets view:
```xml
<html xmlns:sec="omnifaces.security">
```
The <sec:authorize> tag requires exactly one of the following attributes:
role, anyRole, or allRoles.
Use the role attribute to check if the user has a specific role. The content will
only be rendered if the user has the specified role.
```xml
<sec:authorize role="ADMIN">
    <h:link value="Admin Panel" outcome="/admin" />
</sec:authorize>
```
Use the anyRole attribute with comma-separated role names to check if the user has
at least one of the specified roles. The content will be rendered if the user has any of the roles.
```xml
<sec:authorize anyRole="ADMIN, MODERATOR, EDITOR">
    <h:link value="Content Management" outcome="/cms" />
</sec:authorize>
```
Use the allRoles attribute with comma-separated role names to check if the user has
all of the specified roles. The content will only be rendered if the user has all of the roles.
```xml
<sec:authorize allRoles="ADMIN, AUDITOR">
    <h:link value="Audit Logs" outcome="/audit" />
</sec:authorize>
```
The optional var attribute exposes the boolean authorization result as a view-scoped
variable. This is useful when you need to use the authorization result in multiple places without repeating the
role check.
```xml
<sec:authorize role="ADMIN" var="isAdmin" />
<h:panelGroup rendered="#{isAdmin}">
    <h:link value="Admin Panel" outcome="/admin" />
</h:panelGroup>
<h:outputText value="Welcome, Administrator!" rendered="#{isAdmin}" />
```
The variable is always set regardless of whether the content inside the tag is rendered or not.
This tag requires SecurityContext from jakarta.security.enterprise to be available. If the
security context is not available, a warning will be logged and no content will be rendered. Make sure your
application has Jakarta Security properly configured.
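The decision the tag documents, written out in plain Java so the three modes and the missing-context case can be compared side by side. This is an added example, not OmniFaces code: `AuthorizeCheck`, `isAuthorized` and the `hasRole` predicate are hypothetical names, and the trimming of whitespace around commas and the exception on a wrong attribute count are assumptions.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;

// Added illustration, not OmniFaces source code.
public class AuthorizeCheck {

    // hasRole is a hypothetical hook: pass securityContext::isCallerInRole,
    // or null when no SecurityContext is available.
    public static boolean isAuthorized(String role, String anyRole, String allRoles,
                                       Predicate<String> hasRole) {
        long supplied = Stream.of(role, anyRole, allRoles).filter(Objects::nonNull).count();
        if (supplied != 1) {
            // Assumption: the example rejects zero or several attributes with an exception.
            throw new IllegalArgumentException("Exactly one of role, anyRole, allRoles is required");
        }
        if (hasRole == null) {
            return false; // no security context: nothing is authorized
        }
        if (role != null) {
            return hasRole.test(role.trim());
        }
        if (anyRole != null) {
            return split(anyRole).stream().anyMatch(hasRole);
        }
        List<String> required = split(allRoles);
        // An empty list must not pass: allMatch on no elements is true.
        return !required.isEmpty() && required.stream().allMatch(hasRole);
    }

    // Assumption: whitespace around commas is ignored, as in "ADMIN, AUDITOR".
    private static List<String> split(String roles) {
        return Arrays.stream(roles.split(",")).map(String::trim)
                .filter(s -> !s.isEmpty()).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        Set<String> callerRoles = Set.of("ADMIN", "EDITOR"); // constructed sample caller
        Predicate<String> caller = callerRoles::contains;
        System.out.println("role=ADMIN: " + isAuthorized("ADMIN", null, null, caller));
        System.out.println("anyRole=MODERATOR, EDITOR: " + isAuthorized(null, "MODERATOR, EDITOR", null, caller));
        System.out.println("allRoles=ADMIN, AUDITOR: " + isAuthorized(null, null, "ADMIN, AUDITOR", caller));
        System.out.println("no security context: " + isAuthorized("ADMIN", null, null, null));
    }
}
```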
| Name | Required | Type | Description |
|---|---|---|---|
| allRoles | false | jakarta.el.ValueExpression (must evaluate to java.lang.String) | Allows content to be rendered if the user has all of the comma-separated roles added here. Mutually exclusive with role and anyRole. |
| anyRole | false | jakarta.el.ValueExpression (must evaluate to java.lang.String) | Allows content to be rendered if the user has any of the comma-separated roles added here. Mutually exclusive with role and allRoles. |
| role | false | jakarta.el.ValueExpression (must evaluate to java.lang.String) | Allows content to be rendered if the user has the role specified here. Mutually exclusive with anyRole and allRoles. |
| var | false | jakarta.el.ValueExpression (must evaluate to java.lang.String) | Name for a boolean EL variable containing the authorization result. Always set regardless of whether content is rendered. |